<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Common SSL/TLS exceptions | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'trb-security-ssl.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trb-security-ssl.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/trb-security-ssl.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/trb-security-ssl.html" rel="nofollow" target="_blank">../en/trb-security-ssl.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="security-troubleshooting.html">Troubleshooting security</a></span>
»
<span class="breadcrumb-node">Common SSL/TLS exceptions</span>
</div>
<div class="navheader">
<span class="prev">
<a href="trb-security-sslhandshake.html">« SSLHandshakeException causes connections to fail</a>
</span>
<span class="next">
<a href="trb-security-kerberos.html">Common Kerberos exceptions »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="trb-security-ssl"></a>Common SSL/TLS exceptions<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/troubleshooting.asciidoc">edit</a>
</h2>
</div></div></div>
<p><span class="strong strong"><strong>Symptoms:</strong></span></p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
You might see some exceptions related to SSL/TLS in your logs. Some of the
common exceptions are shown below with tips on how to resolve these issues.<br>
</li>
</ul>
</div>
<p><span class="strong strong"><strong>Resolution:</strong></span></p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">WARN: received plaintext http traffic on a https channel, closing connection</code>
</span>
</dt>
<dd>
<p>Indicates that there was an incoming plaintext http request. This typically
occurs when an external applications attempts to make an unencrypted call to the
REST interface. Please ensure that all applications are using <code class="literal">https</code> when
calling the REST interface with SSL enabled.</p>
</dd>
<dt>
<span class="term">
<code class="literal">org.elasticsearch.common.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:</code>
</span>
</dt>
<dd>
<p>Indicates that there was incoming plaintext traffic on an SSL connection. This
typically occurs when a node is not configured to use encrypted communication
and tries to connect to nodes that are using encrypted communication. Please
verify that all nodes are using the same setting for
<code class="literal">xpack.security.transport.ssl.enabled</code>.</p>
<p>For more information about this setting, see
<a href="security-settings.html" class="ulink" target="_top">Security Settings in Elasticsearch</a>.</p>
</dd>
<dt>
<span class="term">
<code class="literal">java.io.StreamCorruptedException: invalid internal transport message format, got</code>
</span>
</dt>
<dd>
<p>Indicates an issue with data received on the transport interface in an unknown
format. This can happen when a node with encrypted communication enabled
connects to a node that has encrypted communication disabled. Please verify that
all nodes are using the same setting for <code class="literal">xpack.security.transport.ssl.enabled</code>.</p>
<p>For more information about this setting, see
<a href="security-settings.html" class="ulink" target="_top">Security Settings in Elasticsearch</a>.</p>
</dd>
<dt>
<span class="term">
<code class="literal">java.lang.IllegalArgumentException: empty text</code>
</span>
</dt>
<dd>
<p>This exception is typically seen when a <code class="literal">https</code> request is made to a node that
is not using <code class="literal">https</code>. If <code class="literal">https</code> is desired, please ensure the following setting
is in <code class="literal">elasticsearch.yml</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.http.ssl.enabled: true</pre>
</div>
<p>For more information about this setting, see
<a href="security-settings.html" class="ulink" target="_top">Security Settings in Elasticsearch</a>.</p>
</dd>
<dt>
<span class="term">
<code class="literal">ERROR: unsupported ciphers [...] were requested but cannot be used in this JVM</code>
</span>
</dt>
<dd>
<p>This error occurs when a SSL/TLS cipher suite is specified that cannot supported
by the JVM that Elasticsearch is running in. Security tries to use the specified cipher
suites that are supported by this JVM. This error can occur when using the
Security defaults as some distributions of OpenJDK do not enable the PKCS11
provider by default. In this case, we recommend consulting your JVM
documentation for details on how to enable the PKCS11 provider.</p>
<p>Another common source of this error is requesting cipher suites that use
encrypting with a key length greater than 128 bits when running on an Oracle JDK.
In this case, you must install the
<a class="xref" href="ciphers.html" title="Enabling cipher suites for stronger encryption">JCE Unlimited Strength Jurisdiction Policy Files</a>.</p>
</dd>
</dl>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="trb-security-sslhandshake.html">« SSLHandshakeException causes connections to fail</a>
</span>
<span class="next">
<a href="trb-security-kerberos.html">Common Kerberos exceptions »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>